Enable TLS frontend for repo_server by default

We aim to secure traffic from haproxy to repo backends with TLS[1].
But there is no point in doing that unless the traffic to haproxy
frontend is encrypted.

This patch enables TLS on repo frontend when `haproxy_ssl_all_vips` is
enabled.

[1] https://review.opendev.org/c/openstack/openstack-ansible-repo_server/+/876429

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-repo_server/+/877429
Change-Id: I9f0f40977b13a150e30f000dee8d7309bbffe74f
Damian Dabrowski 2023-03-29 21:41:55 +02:00 committed by Damian Dąbrowski
parent 9e7ecc93d3
commit f600f995e4
2 changed files with 3 additions and 1 deletions


@ -538,6 +538,7 @@ haproxy_repo_service:
haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: 8181
haproxy_ssl: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /constraints/upper_constraints_cached.txt HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
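Review bot: `haproxy_ssl` on the repo frontend is only as strong as `haproxy_ssl_all_vips`: when that toggle is false, port 8181 keeps serving constraints and release artifacts in cleartext, even though the commit title says "by default". The default of `haproxy_ssl_all_vips` is not visible on this page, so I would state the dependency next to the new line, e.g. `# TLS on the repo frontend follows haproxy_ssl_all_vips; it stays plain HTTP when that is false`. The `haproxy_repo_service` mapping starts outside this hunk and may continue past it.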


@ -22,7 +22,8 @@ neutron_bin: "/openstack/venvs/neutron-{{ venv_tag }}/bin"
repo_release_path: "{{ openstack_repo_url }}/os-releases/{{ openstack_release }}/{{ os_distro_version }}"
## OpenStack source options
openstack_repo_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}"
openstack_repo_protocol: "{{ openstack_service_internaluri_proto }}"
openstack_repo_url: "{{ openstack_repo_protocol }}://{{ internal_lb_vip_address }}:{{ repo_server_port }}"
openstack_repo_git_url: "git://{{ internal_lb_vip_address }}"
## Delegate all service setup tasks to the utility host, and use the utility venv python interpreter
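Review bot: The client scheme in `openstack_repo_protocol` comes from `openstack_service_internaluri_proto`, while the repo frontend in the `haproxy_repo_service` hunk is switched by `haproxy_ssl_all_vips`, and nothing visible here ties the two together. A deployment that sets one without the other ends up with clients speaking https to a plaintext listener or http to a TLS listener, so repo downloads fail. I would document the coupling above the new variable, e.g. `# Must match haproxy_ssl on the repo frontend (driven by haproxy_ssl_all_vips)`, or add a pre-flight assert where both variables are in scope. Separately, the unchanged `openstack_repo_git_url` line still uses `git://`, which is unencrypted and unauthenticated, so that path stays outside what this change protects.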